Downloadable ACL VPN Radius

JeromeTechie1
Level 1

Hello everyone,

I am trying to configure downloadable ACL through a 3rd party radius server (MS NPS).

At this point I understood this was done through the cisco-av-pair attribute.

However, I have found few resources on the configuration I need to do on my ASA for this to work.

So far I can authenticate on the ASA through RADIUS, for VPN users as well as for ASA management.

But I am lost as to the specific commands needed for downloadable ACLs to work.

Thanks to those who can help out

Sent from Cisco Technical Support iPhone App


6 Replies

Amjad Abdullah
VIP Alumni

Hello Jerome,

Can you please re-phrase your question?

Are there commands that you are not able to apply on the ASA after you log in via RADIUS?

Or you want to configure the VSA for downloadable ACL on your MS NPS and you forgot how?

Rating useful replies is more useful than saying "Thank you"

Hi Amjad,

Thanks for answering. To make it extra simple, I am trying to configure downloadable ACLs for VPN users (AnyConnect) through MS NPS RADIUS. I didn't forget how, simply because it's my first time doing it on the ASA xd.

Feel free to give configuration steps if it's not too much to ask; this way I can check where I messed up.

If what I am asking is still not clear, please let me know and I'll try to come up with better phrasing.

Thanks a lot

PS: I know that on a switch using 802.1x the configuration steps on the switch are similar to this

Router(config)# aaa authorization network default group radius

Router(config)# radius-server vsa send authentication

  • not sure if there is an equivalent on the ASA

Router(config)# ip device tracking

  • not sure if there is an equivalent on the ASA either, but probably useless regardless

Try this config example about what to do on the ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml

For corresponding config on NPS you may contact MS support.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Thanks Amjad,

I already read that document but I'll give it another shot.

However I would like to confirm one thing.

From what I understand there are 3 ways to deploy downloadable ACLs.

1. Through the cisco-av-pair attribute. With this method any RADIUS server can send an ACL to a Cisco device. The ACL is only configured on the RADIUS server and is downloaded on a per-user login basis, and flushed afterward.

2. Through the RADIUS Filter-Id. With this method the ACL is configured on the Cisco equipment and is applied when the user logs in by the RADIUS server, which has the ACL name referenced in the Filter-Id.

3. Cisco proprietary ACS dACLs, which allow configuring ACLs only once on the server and assigning them easily, unlike the RADIUS av-pair, which needs to be reconfigured on every policy. In addition there is no size restriction, unlike the av-pair.

Please correct me if I am wrong, or feel free to add the missing pieces.

I know this is almost five years old, but you said to contact Microsoft tech support to learn how to create a downloadable ACL that will work on Cisco.

 

You must realize that I could script an entire season of The Office with the ridiculous outcomes of that phone call.

Tonight I just got dACLs working in NPS with both a switch and an ASA firewall.

Last week I had the per-user ACLs finally working, but like the guy said, it creates an ACL per user, which gets a little hairy when you look at the config, even though they clear out when the user logs off.

 

Here are some notes I came up with while working through dACLs on NPS:

1) The format between dACLs and per-user ACLs seems identical. Hooray.

2) You need to know how the download conversation goes. It's actually fairly trivial once you see it work, where the "username" is the ACL being requested and there are a couple of VSAs added in for security to mark the type of request. Here is a link describing the conversation with examples: CLI Book 2: Cisco ASA Series Firewall CLI Configuration Guide, 9.1 - Configuring AAA for Network Access [Cisco ASA 5500-X Series Firewalls] - Cisco

3) You need to make sure you lock down NPS so it will not respond positively to someone "spoofing" ACL names on a VPN. Since the NPS server cannot seem to use VSA entries as "Conditions" to check for, I had to find another attribute that I could anchor against that was secure. I am using the "Calling Station ID" attribute, which is always present when the switch/ASA is representing an endpoint, but not when it downloads an ACL. That attribute's behavior doesn't strike me as something that is likely to change anytime soon.

4) NPS needs to be able to return these ACLs without having to create Active Directory accounts to match the ACL names. To do this there is an option in the "Connection Request Policies" to "Accept users without validation credentials".

5) The ASA and switches use different ACL naming formats. The ASA must have "#ACSACL#" at the beginning of the name or it will not download the ACL. If the switches do have "#ACSACL#" at the beginning, they will fail even though they download the ACL. So the policies must have an internal naming convention and use a regex to check for only the end of the ACL name, i.e. "#ACSACL#DACL-MyACL" for the ASA, "DACL-MyACL" for the switch, and the match in NPS that will handle both would be User-Name: "DACL-Test$"

6) I found that I don't need the hash at the end of the ACL name and everything seems to still work just fine. I don't know if there is any downside to this yet.

 

If I get time later this year, I might write a step-by-step article on how to do this...

If or until that happens, if you have any questions about any aspects on how I got this working, please feel free to ask.
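As an added illustration of points 2 through 5 above (example code, not from the post and not NPS itself), a small Python model of the policy split the author describes: the Calling-Station-Id anchor that keeps a VPN user from being treated as an ACL-download request, the tail-only regex that serves both the ASA and switch name formats, and the two-request download conversation. The marker VSA strings, the ACS:CiscoSecure-Defined-ACL attribute name, and the user and ACL stores are assumptions constructed for the example.

```python
import re

# Constructed model of the NPS policy logic described in the post (not NPS code):
# a user request and an ACL-download request are told apart by Calling-Station-Id.

USERS = {"alice"}  # constructed account store standing in for Active Directory
ACL_LINES = {  # constructed ACL store, keyed by the internal naming convention
    "DACL-MyACL": ["permit tcp any host 10.0.0.5 eq 443", "deny ip any any"],
}
# Match only the tail so "#ACSACL#DACL-MyACL" (ASA) and "DACL-MyACL" (switch) both hit.
ACL_NAME_RE = re.compile(r"DACL-MyACL$")
# Marker VSAs the device adds to an ACL-download request (assumed values).
DOWNLOAD_VSAS = {"aaa:service=ip-admission", "aaa:event=acl-download"}


def evaluate(request):
    """Return (accepted, reply_attributes) for an Access-Request given as a dict."""
    username = request.get("User-Name", "")
    vsas = set(request.get("cisco-av-pair", []))
    has_endpoint = "Calling-Station-Id" in request  # only set when a real client is behind the NAS

    # ACL-download policy (point 4: no credential check, no AD account needed).
    # Anchored on the *absence* of Calling-Station-Id, so a VPN user who logs in
    # with "#ACSACL#DACL-MyACL" as a username never gets the ACL text back (point 3).
    if not has_endpoint and DOWNLOAD_VSAS <= vsas and ACL_NAME_RE.search(username):
        lines = ACL_LINES.get(username.split("#ACSACL#")[-1])  # strip the ASA-only prefix
        if lines is None:
            return False, {}
        return True, {"cisco-av-pair": [f"ip:inacl#{i}={l}" for i, l in enumerate(lines, 1)]}

    # User policy: endpoint present and account exists; reply names the ACL to fetch.
    if has_endpoint and username in USERS:
        return True, {"cisco-av-pair": ["ACS:CiscoSecure-Defined-ACL=#ACSACL#DACL-MyACL"]}
    return False, {}


def asa_login(username, endpoint_ip):
    """Simulate the ASA side of the two-step conversation; return the ACL lines applied."""
    ok, reply = evaluate({"User-Name": username, "Calling-Station-Id": endpoint_ip})
    if not ok:
        return None
    acl_name = next(v.split("=", 1)[1] for v in reply["cisco-av-pair"]
                    if v.startswith("ACS:CiscoSecure-Defined-ACL="))
    # Second request: the ACL name is the User-Name, no endpoint, marker VSAs added.
    ok, reply = evaluate({"User-Name": acl_name, "cisco-av-pair": sorted(DOWNLOAD_VSAS)})
    return [v.split("=", 1)[1] for v in reply["cisco-av-pair"]] if ok else None
```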